High Volume Automated Testing in Security Testing
Yesterday I gave a presentation at the Workshop on Teaching Software Testing 2013 focusing on High Volume Automated Testing. The goal was to introduce some of the test techniques (and terminology) which are used in security testing to the practitioners and educators involved in software testing. The following was cross posted on the WTST website.
Abstract:HiVAT offers potential advantages to the security field as it allows security testers to identify and locate potential security flaws quicker and more accurately than standard techniques. The security testing community needs tools which will allow them to counter the asymmetrical nature of security, in which the adversary potentially only needs to exploit a single flaw to achieve their goal but the defender must mitigate all vulnerabilities to achieve their goal. Three main testing areas exist within the field of security: compliance/certification testing, penetration testing/ethical hacking and vulnerability research. HiVAT techniques are used within the penetration testing/ethical hacking and vulnerability research areas. Compliance/certification testing is not able to leverage these techniques as the information objectives are different than the other two areas of testing. Even though this technique is used, it may be subject to the misconception that HiVAT is simply just repeatedly running a large number of small tests. HiVAT can be effectively leveraged for vulnerability identification, countermeasure/filter evasion, and lastly exploitation resulting in security tests which are more thorough than common assessment techniques.
HiVAT in Security Testing